/// <summary>
/// Authorizes and filters events based on authorization
/// </summary>
/// <param name="consumer">The event consumer</param>
/// <param name="cloudEvents">The list of events</param>
/// <returns>A list of authorized events</returns>
public async Task <List <CloudEvent> > AuthorizeEvents(ClaimsPrincipal consumer, List <CloudEvent> cloudEvents)
{
XacmlJsonRequestRoot xacmlJsonRequest = CloudEventXacmlMapper.CreateMultiDecisionRequest(consumer, cloudEvents);
XacmlJsonResponse response = await _pdp.GetDecisionForRequest(xacmlJsonRequest);
List <CloudEvent> authorizedEventsList = new List <CloudEvent>();
foreach (XacmlJsonResult result in response.Response)
{
if (DecisionHelper.ValidateDecisionResult(result, consumer))
{
string eventId = string.Empty;
// Loop through all attributes in Category from the response
foreach (XacmlJsonCategory category in result.Category)
{
var attributes = category.Attribute;
foreach (var attribute in attributes)
{
if (attribute.AttributeId.Equals(AltinnXacmlUrns.EventId))
{
eventId = attribute.Value;
}
}
}
// Find the instance that has been validated to add it to the list of authorized instances.
CloudEvent authorizedEvent = cloudEvents.First(i => i.Id == eventId);
authorizedEventsList.Add(authorizedEvent);
}
}
return(authorizedEventsList);
}
/// <summary>
/// Authorize instances, and returns a list of instances that the user has the right to read.
/// </summary>
public async Task <List <Instance> > AuthorizeInstances(ClaimsPrincipal user, List <Instance> instances)
{
if (instances.Count <= 0)
{
return(instances);
}
List <Instance> authorizedInstanceList = new List <Instance>();
List <string> actionTypes = new List <string> {
"read"
};
XacmlJsonRequestRoot xacmlJsonRequest = CreateMultiDecisionRequest(user, instances, actionTypes);
XacmlJsonResponse response = await _pdp.GetDecisionForRequest(xacmlJsonRequest);
foreach (XacmlJsonResult result in response.Response)
{
if (DecisionHelper.ValidateDecisionResult(result, user))
{
string instanceId = string.Empty;
// Loop through all attributes in Category from the response
foreach (XacmlJsonCategory category in result.Category)
{
var attributes = category.Attribute;
foreach (var attribute in attributes)
{
if (attribute.AttributeId.Equals(AltinnXacmlUrns.InstanceId))
{
instanceId = attribute.Value;
}
}
}
Instance instance = instances.FirstOrDefault(i => i.Id == instanceId);
authorizedInstanceList.Add(instance);
}
}
return(authorizedInstanceList);
}
/// <summary>
/// Authorize instances, and returns a list of MesseageBoxInstances with information about read and write rights of each instance.
/// </summary>
public async Task <List <MessageBoxInstance> > AuthorizeMesseageBoxInstances(ClaimsPrincipal user, List <Instance> instances)
{
if (instances.Count <= 0)
{
return(new List <MessageBoxInstance>());
}
List <MessageBoxInstance> authorizedInstanceeList = new List <MessageBoxInstance>();
List <string> actionTypes = new List <string> {
"read", "write"
};
_logger.LogInformation($"// AuthorizationHelper // AuthorizeMsgBoxInstances // User: {user}");
_logger.LogInformation($"// AuthorizationHelper // AuthorizeMsgBoxInstances // Instances count: {instances.Count()}");
_logger.LogInformation($"// AuthorizationHelper // AuthorizeMsgBoxInstances // Action types: {actionTypes}");
XacmlJsonRequestRoot xacmlJsonRequest = CreateMultiDecisionRequest(user, instances, actionTypes);
_logger.LogInformation($"// AuthorizationHelper // AuthorizeMsgBoxInstances // xacmlJsonRequest: {JsonConvert.SerializeObject(xacmlJsonRequest)}");
XacmlJsonResponse response = await _pdp.GetDecisionForRequest(xacmlJsonRequest);
foreach (XacmlJsonResult result in response.Response)
{
if (DecisionHelper.ValidateDecisionResult(result, user))
{
string instanceId = string.Empty;
string actiontype = string.Empty;
// Loop through all attributes in Category from the response
foreach (XacmlJsonCategory category in result.Category)
{
var attributes = category.Attribute;
foreach (var attribute in attributes)
{
if (attribute.AttributeId.Equals(XacmlResourceActionId))
{
actiontype = attribute.Value;
}
if (attribute.AttributeId.Equals(AltinnXacmlUrns.InstanceId))
{
instanceId = attribute.Value;
}
}
}
// Find the instance that has been validated to add it to the list of authorized instances.
Instance authorizedInstance = instances.FirstOrDefault(i => i.Id == instanceId);
// Checks if the instance has already been authorized
if (authorizedInstanceeList.Any(i => i.Id.Equals(authorizedInstance.Id.Split("/")[1])))
{
// Only need to check if the action type is write, because read do not add any special rights to the MessageBoxInstane.
if (actiontype.Equals("write"))
{
authorizedInstanceeList.Where(i => i.Id.Equals(authorizedInstance.Id.Split("/")[1])).ToList().ForEach(i => i.AuthorizedForWrite = i.AllowDelete = true);
}
}
else
{
MessageBoxInstance messageBoxInstance = InstanceHelper.ConvertToMessageBoxInstance(authorizedInstance);
if (actiontype.Equals("write"))
{
messageBoxInstance.AuthorizedForWrite = true;
messageBoxInstance.AllowDelete = true;
}
authorizedInstanceeList.Add(messageBoxInstance);
}
}
}
return(authorizedInstanceeList);
}